Option to scan, and report on, outdated transitive dependencies #204
Comments
@pmonks Thank you for your suggestion! I'll consider implementation.
@pmonks Sorry for such a late reaction.
Moved to feature/transitive branch.
I tried the feature/transitive branch, but it appears to hang:
$ git clone https://github.com/liquidz/antq.git
Cloning into 'antq'...
remote: Enumerating objects: 6163, done.
remote: Counting objects: 100% (2690/2690), done.
remote: Compressing objects: 100% (1027/1027), done.
remote: Total 6163 (delta 1694), reused 2149 (delta 1640), pack-reused 3473
Receiving objects: 100% (6163/6163), 750.34 KiB | 396.00 KiB/s, done.
Resolving deltas: 100% (3662/3662), done.
$ cd antq/
$ git switch feature/transitive
branch 'feature/transitive' set up to track 'origin/feature/transitive'.
Switched to a new branch 'feature/transitive'
$ clj -A:outdated --transitive
WARNING: Implicit use of clojure.main with options is deprecated, use -M
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Downloading: cloverage/cloverage/maven-metadata.xml from clojars
Downloading: org/slf4j/slf4j-nop/maven-metadata.xml from central
Downloading: org/slf4j/slf4j-nop/2.0.7/slf4j-nop-2.0.7.pom from central
Downloading: lambdaisland/deep-diff2/2.8.190/deep-diff2-2.8.190.pom from clojars
Downloading: lambdaisland/kaocha/1.82.1306/kaocha-1.82.1306.pom from clojars
Downloading: com/github/liquidz/build.edn/0.9.203/build.edn-0.9.203.pom from clojars
Downloading: metosin/malli/0.11.0/malli-0.11.0.pom from clojars
Downloading: cloverage/cloverage/1.2.4/cloverage-1.2.4.pom from clojars
Downloading: org/tcrawley/dynapath/1.1.0/dynapath-1.1.0.pom from central
Downloading: org/clojure/core.rrb-vector/0.1.2/core.rrb-vector-0.1.2.pom from central
Downloading: progrock/progrock/0.1.2/progrock-0.1.2.pom from clojars
Downloading: com/nextjournal/beholder/1.0.2/beholder-1.0.2.pom from clojars
Downloading: lambdaisland/clj-diff/1.4.78/clj-diff-1.4.78.pom from clojars
Downloading: hawk/hawk/0.2.11/hawk-0.2.11.pom from clojars
Downloading: io/github/clojure/tools.build/0.9.3/tools.build-0.9.3.pom from central
Downloading: riddley/riddley/0.2.0/riddley-0.2.0.pom from clojars
Downloading: borkdude/dynaload/0.3.5/dynaload-0.3.5.pom from clojars
Downloading: mvxcvi/arrangement/2.1.0/arrangement-2.1.0.pom from clojars
Downloading: borkdude/edamame/1.3.20/edamame-1.3.20.pom from clojars
Downloading: fipp/fipp/0.6.26/fipp-0.6.26.pom from clojars
Downloading: lambdaisland/tools.namespace/0.1.247/tools.namespace-0.1.247.pom from clojars
Downloading: pogonos/pogonos/0.2.1/pogonos-0.2.1.pom from clojars
Downloading: io/methvin/directory-watcher/0.17.3/directory-watcher-0.17.3.pom from central
Downloading: net/incongru/watchservice/barbary-watchservice/1.0/barbary-watchservice-1.0.pom from central
Downloading: org/babashka/cli/0.5.40/cli-0.5.40.pom from clojars
Downloading: net/incongru/watchservice/barbary-watchservice/1.0/barbary-watchservice-1.0.jar from central
Downloading: io/methvin/directory-watcher/0.17.3/directory-watcher-0.17.3.jar from central
Downloading: com/nextjournal/beholder/1.0.2/beholder-1.0.2.jar from clojars
Downloading: lambdaisland/clj-diff/1.4.78/clj-diff-1.4.78.jar from clojars
Downloading: fipp/fipp/0.6.26/fipp-0.6.26.jar from clojars
Downloading: org/clojure/core.rrb-vector/0.1.2/core.rrb-vector-0.1.2.jar from central
Downloading: org/slf4j/slf4j-nop/2.0.7/slf4j-nop-2.0.7.jar from central
Downloading: mvxcvi/arrangement/2.1.0/arrangement-2.1.0.jar from clojars
Downloading: org/tcrawley/dynapath/1.1.0/dynapath-1.1.0.jar from central
Downloading: io/github/clojure/tools.build/0.9.3/tools.build-0.9.3.jar from central
Downloading: hawk/hawk/0.2.11/hawk-0.2.11.jar from clojars
Downloading: riddley/riddley/0.2.0/riddley-0.2.0.jar from clojars
Downloading: cloverage/cloverage/1.2.4/cloverage-1.2.4.jar from clojars
Downloading: borkdude/edamame/1.3.20/edamame-1.3.20.jar from clojars
Downloading: borkdude/dynaload/0.3.5/dynaload-0.3.5.jar from clojars
Downloading: org/babashka/cli/0.5.40/cli-0.5.40.jar from clojars
Downloading: pogonos/pogonos/0.2.1/pogonos-0.2.1.jar from clojars
Downloading: metosin/malli/0.11.0/malli-0.11.0.jar from clojars
Downloading: progrock/progrock/0.1.2/progrock-0.1.2.jar from clojars
Downloading: lambdaisland/tools.namespace/0.1.247/tools.namespace-0.1.247.jar from clojars
Downloading: com/amazonaws/aws-java-sdk/1.4.3/aws-java-sdk-1.4.3.pom from central
Downloading: org/codehaus/jackson/jackson-mapper-asl/1.8.9/jackson-mapper-asl-1.8.9.pom from central
Downloading: org/codehaus/jackson/jackson-core-asl/1.8.9/jackson-core-asl-1.8.9.pom from central
Downloading: org/codehaus/jackson/jackson-core-asl/1.8.9/jackson-core-asl-1.8.9.jar from central
Downloading: javax/enterprise/cdi-api/1.2/cdi-api-1.2.jar from central
Downloading: org/codehaus/jackson/jackson-mapper-asl/1.8.9/jackson-mapper-asl-1.8.9.jar from central
Downloading: com/amazonaws/aws-java-sdk/1.4.3/aws-java-sdk-1.4.3.jar from central
Downloading: javax/interceptor/javax.interceptor-api/1.2/javax.interceptor-api-1.2.pom from central
Downloading: javax/el/javax.el-api/3.0.0/javax.el-api-3.0.0.pom from central
Downloading: org/apache/httpcomponents/httpclient/4.1/httpclient-4.1.pom from central
Downloading: org/apache/httpcomponents/httpcomponents-client/4.1/httpcomponents-client-4.1.pom from central
Downloading: org/apache/httpcomponents/project/4.1.1/project-4.1.1.pom from central
Downloading: commons-codec/commons-codec/1.4/commons-codec-1.4.pom from central
Downloading: org/apache/httpcomponents/httpcore/4.1/httpcore-4.1.pom from central
Downloading: org/apache/commons/commons-parent/11/commons-parent-11.pom from central
Downloading: org/apache/httpcomponents/httpcomponents-core/4.1/httpcomponents-core-4.1.pom from central
Downloading: javax/el/javax.el-api/3.0.0/javax.el-api-3.0.0.jar from central
Downloading: javax/interceptor/javax.interceptor-api/1.2/javax.interceptor-api-1.2.jar from central
Downloading: commons-codec/commons-codec/1.4/commons-codec-1.4.jar from central
Downloading: org/apache/httpcomponents/httpclient/4.1/httpclient-4.1.jar from central
Downloading: org/apache/httpcomponents/httpcore/4.1/httpcore-4.1.jar from central
[##################################################] 144/144
<Ctrl+C after some time>
$ clj -A:outdated --transitive
WARNING: Implicit use of clojure.main with options is deprecated, use -M
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
[##################################################] 144/144
<Ctrl+C after some time>
@pmonks Sorry for the late reply.
@liquidz I just ran it on itself to begin with - the commands I used (minus output) were:
$ git clone https://github.com/liquidz/antq.git
$ cd antq/
$ git switch feature/transitive
$ clj -A:outdated --transitive
@pmonks Ah, I missed that. Thank you! In my environment, it took some time but the results were reported. As mentioned above (#204 (comment)), if there are many outdated dependencies, it will take time to get changes URLs, so I recommend using the
@liquidz ah yes it works (and quickly!) with the
@pmonks Just released v2.5.1089 :)
There are cases where it is useful to know about outdated transitive dependencies, since these can (sometimes) be safely overridden in a package's own dependency set without having to wait for the intermediate dependency to release a new version with upgraded dependencies. This is especially important for libraries that are commonly found as transitive dependencies in Clojure projects, but have a long history of security vulnerabilities; Jackson being a prime example.
That said, I don't think this behaviour should be the default, and could be gated behind an option such as --transitive.
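As an added illustration of the override the issue body describes (this is example configuration, not code from the antq project or from anyone in this thread): a deps.edn that pins a Jackson artifact which would otherwise reach the classpath only transitively. The library coordinates and version numbers are assumptions chosen for the example, and the :outdated alias is assumed to match the one the commands in this thread invoke; substitute the artifacts that antq --transitive actually reports for your project.

```clojure
;; deps.edn (added example; every coordinate and version here is an assumption)
{:deps
 {;; A direct dependency. Assume it transitively requests an older
  ;; com.fasterxml.jackson.core/jackson-databind than you want.
  cheshire/cheshire {:mvn/version "5.11.0"}

  ;; Declaring the transitive artifact at the top level makes the
  ;; Clojure CLI resolver select this version over the one the
  ;; intermediate library asked for, so the upgrade does not have to
  ;; wait for the intermediate library to cut a new release.
  com.fasterxml.jackson.core/jackson-databind {:mvn/version "2.15.2"}}

 :aliases
 {;; Alternative: keep the pin out of the default dependency set and
  ;; apply it only when this alias is active (e.g. for a build or test
  ;; run), via the alias-level :override-deps key.
  :pin-jackson
  {:override-deps
   {com.fasterxml.jackson.core/jackson-databind {:mvn/version "2.15.2"}}}

  ;; The scan the thread is about: report outdated transitive
  ;; dependencies as well as direct ones.
  :outdated
  {:extra-deps {com.github.liquidz/antq {:mvn/version "RELEASE"}}
   :main-opts ["-m" "antq.core" "--transitive"]}}}
```

After editing, run clj -X:deps tree and confirm that only the pinned jackson-databind version is selected; the superseded coordinate should no longer appear as the winner. A pin like this is a local decision, not a fix in the intermediate library: check that library's changelog for compatibility with the newer version before relying on it, because a major-version jump in the transitive artifact can break the code that depends on it.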